From: Aaron Campbell
Here's an exploit I wrote for the buffer overflow in ircd mentioned earlier
on the list by Andy Church. This will attempt to crash the daemon. Everyone
patch up.
---8<-------------------------- cut here ------------------------8<--------
/* ircdcrash.c by fx of nnh (aaron@ug.cs.dal.ca)
*
* Shouts out to: Punisher, TCroc, NC, gg, A-Flat, DBN3 crew.
*
* Thanks to Andy Church for addressing this problem on Bugtraq.
*
* There is a buffer overflow condition in the ircd/s_serv.c file of the
* ircd2.8.21 distribution and most likely exists in other versions. It is
* possible to exploit this by sending a very long string as the third
* parameter () to the SERVER command. Nothing particularly fancy here,
* this program will just attempt to segfault the daemon. Here is the syntax
* of the SERVER command:
*
* SERVER
*
* Here is the offending code, out of the m_server function:
*
*     if (parc > 3 && atoi(parv[2]))
*     {
*         hop = atoi(parv[2]);
*         (void)strncpy(info, parv[3], REALLEN);
*     }
*     else if (parc > 2)
*     {
*         (void)strncpy(info, parv[2], REALLEN);
*         if (parc > 3)
*         {
*             i = strlen(info);
*             (void)strncat(info, " ", REALLEN - i - 1);
*             (void)strncat(info, parv[3], REALLEN - i - 2);
*         }
*
* REALLEN is defined to be 50 in include/struct.h. Notice that in order for
* the second (and therefore third) if() statement to be executed,
* atoi(parv[2]) must NOT return a value. This means we must not send
* numeric characters as the second parameter (), but we must send
* 50 characters to ensure REALLEN - i - 2 will be less than 0.
*
* See Andy Church's post on Bugtraq for a patch.
*
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
[snip...]
    if ( argc < 2 ) {
        printf("Usage: %s \n", argv[0]);
        exit(1);
[snip...]
---8<-------------------------- cut here ------------------------8<--------
---
Aaron Campbell (aaron@ug.cs.dal.ca)
Dalhousie University, Halifax, Nova Scotia
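The following is an added illustration, not part of Aaron Campbell's post or the ircd source. It isolates the arithmetic the post describes: `REALLEN - i - 2` is computed in signed int and then handed to `strncat`, whose length parameter is `size_t`, so once `i` reaches `REALLEN - 1` the bound goes negative, converts to a huge unsigned value, and `strncat` stops limiting the copy. The block shows that conversion, and beside it a bounded rewrite of the `info` assembly using `snprintf` so the length can never underflow and the result is always NUL-terminated. `REALLEN` follows the post (50); the function names and the sample inputs in the comments are constructed for this example.

```c
/* Added example (not from the original post or from ircd): why the
 * strncat length in the quoted m_server code wraps, and a bounded rewrite. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define REALLEN 50   /* value given in the post (include/struct.h) */

/* Reproduces the length expression exactly as the quoted code forms it:
 * int arithmetic, then implicit conversion to size_t at the strncat call.
 * For i >= REALLEN - 1 the int is negative and the size_t is enormous. */
size_t original_strncat_bound(size_t i)
{
    int n = REALLEN - (int)i - 2;   /* same expression as the quoted code */
    return (size_t)n;               /* what strncat actually receives */
}

/* Detection helper: true when the bound no longer limits the copy. */
int bound_underflows(size_t i)
{
    return original_strncat_bound(i) > REALLEN;
}

/* Bounded replacement for the info assembly (hypothetical name).
 * snprintf takes the total capacity, truncates rather than overruns, and
 * always writes a terminator; no subtraction can go negative. p3 may be
 * NULL when there is no fourth parameter. Returns strlen(info). */
size_t build_info_safe(char *info, size_t cap, const char *p2, const char *p3)
{
    int n;
    if (cap == 0)
        return 0;
    if (p3 != NULL)
        n = snprintf(info, cap, "%s %s", p2, p3);
    else
        n = snprintf(info, cap, "%s", p2);
    if (n < 0) {                    /* encoding error: leave info empty */
        info[0] = '\0';
        return 0;
    }
    /* snprintf returns the untruncated length; clamp to what was stored */
    return (size_t)n < cap ? (size_t)n : cap - 1;
}

int main(void)
{
    char info[REALLEN + 1];
    char longp[200];
    size_t i;

    for (i = 0; i <= REALLEN; i++)
        printf("i=%2zu bound=%zu%s\n", i, original_strncat_bound(i),
               bound_underflows(i) ? "  <-- wrapped" : "");

    /* constructed inputs: a 199-byte second parameter overflows nothing */
    memset(longp, 'A', sizeof longp - 1);
    longp[sizeof longp - 1] = '\0';
    build_info_safe(info, sizeof info, longp, "x");
    printf("safe result length: %zu\n", strlen(info));
    return 0;
}
```

The point for review is that a length argument derived by subtraction must be checked before it is passed to a `size_t` parameter; using a formatting call that owns the bound removes the subtraction altogether.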